1、无壳,TASM / MASM
上一个的2.0版本,
2、OD载入
搜索字符串,定位事件
00401273 . 6A 00 push 0x0 ; /IsSigned = FALSE
00401275 . 8D45 FC lea eax,dword ptr ss:[ebp-0x4] ; |
00401278 . 50 push eax ; |pSuccess
00401279 . 6A 64 push 0x64 ; |ControlID = 64 (100.)
0040127B . FF35 50314000 push dword ptr ds:[0x403150] ; |hWnd = 00010E94 ('TEXme v2.0',class='CTEX')
00401281 . E8 BC010000 call <jmp.&USER32.GetDlgItemInt> ; \GetDlgItemInt
00401286 . 837D FC 00 cmp dword ptr ss:[ebp-0x4],0x0 ; 读Serial,转int
0040128A . 74 5F je XChafe_2.004012EB
0040128C . 50 push eax
0040128D . 6A 14 push 0x14 ; /Count = 14 (20.)
0040128F . 68 6C314000 push Chafe_2.0040316C ; |Buffer = Chafe_2.0040316C
00401294 . FF35 54314000 push dword ptr ds:[0x403154] ; |hWnd = 00010E98 (class='Edit',parent=00010E94)
0040129A . E8 AF010000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
0040129F . 85C0 test eax,eax ; 读Name
004012A1 . 74 48 je XChafe_2.004012EB
004012A3 . A1 0B304000 mov eax,dword ptr ds:[0x40300B]
004012A8 . BB 6C314000 mov ebx,Chafe_2.0040316C
004012AD > 0303 add eax,dword ptr ds:[ebx]
004012AF . 43 inc ebx
004012B0 . 81FB 7C314000 cmp ebx,Chafe_2.0040317C
004012B6 .^ 75 F5 jnz XChafe_2.004012AD
004012B8 . 5B pop ebx
004012B9 . 03C3 add eax,ebx
004012BB . 3105 D9124000 xor dword ptr ds:[0x4012D9],eax ; [0x4012D9] = 00584554
004012C1 . C1E8 10 shr eax,0x10
004012C4 . 66:2905 D9124>sub word ptr ds:[0x4012D9],ax
004012CB . BE EC114000 mov esi,Chafe_2.004011EC
004012D0 . B9 3E000000 mov ecx,0x3E
004012D5 . 33DB xor ebx,ebx
004012D7 . EB 04 jmp XChafe_2.004012DD
004012D9 > 54 push esp ; [0x4012D9~DC]自修改
004012DA 45 db 45 ; CHAR 'E'
004012DB 58 db 58 ; CHAR 'X'
004012DC 00 db 00
004012DD > AD lods dword ptr ds:[esi]
004012DE . 33D8 xor ebx,eax
004012E0 . 49 dec ecx
004012E1 .^ 75 FA jnz XChafe_2.004012DD
004012E3 . 81FB FBCFFCAF cmp ebx,0xAFFCCFFB ; 关键比较
004012E9 .^ 74 EE je XChafe_2.004012D9
004012EB > 68 59304000 push Chafe_2.00403059 ; /Your serial is not valid.
004012F0 . FF35 5C314000 push dword ptr ds:[0x40315C] ; |hWnd = 00010E9C ('Your serial is not valid.',class='Edit',parent=00010E94)
004012F6 . E8 7D010000 call <jmp.&USER32.SetWindowTextA> ; \SetWindowTextA
004012FB . 33C0 xor eax,eax
004012FD . C9 leave
004012FE . C2 1000 retn 0x10
00401301 . 68 73 30 40 0>ascii "hs0@",0 ; YES! You found your serial!!
00401306 . FF35 5C314000 push dword ptr ds:[0x40315C] ; |hWnd = 00010E9C ('Your serial is not valid.',class='Edit',parent=00010E94)
0040130C . E8 67010000 call <jmp.&USER32.SetWindowTextA> ; \SetWindowTextA
00401311 . 33C0 xor eax,eax
00401313 . C9 leave
00401314 . C2 1000 retn 0x10
转成C语言大概是:
/*
 * Author's C rendering of the serial check at 0x401273-0x4012E9 (see the
 * listing above). It is pseudocode, not a compilable program: `int(Serial)`
 * stands for the GetDlgItemInt result the target pushes/pops around the
 * name loop, and the two Chinese branch lines stand for the jump to the
 * success / failure path. Addresses in comments refer to the target's
 * address space.
 */
int main(){
int i, j;
// NOTE: both scanf calls below are unbounded (%s into 20-byte buffers);
// the target itself reads at most 0x14 bytes via GetWindowTextA.
char name[20]={0}; //[0x40316C]
char serial[20]={0};
// char m[4]={0x54, 0x45, 0x58, 0x00};
// m points into n at the dword the target patches in place (0x4012D9).
char *m;
// n is the byte image of the target's own code starting at 0x4011EC. The
// second loop checksums it, and because the patched dword (n+237) lies inside
// the checksummed range, the name/serial sum ends up influencing the checksum.
char n[] = {0x55, 0x8b, 0xec, 0x83, 0xc4, 0xfc, 0x8b, 0x45, 0xc, 0x83, 0xf8, 0x10, 0x75, 0xd, 0x6a, 0x0, 0xe8, 0x6b, 0x2, 0x0, 0x0, 0x33, 0xc0, 0xc9, 0xc2, 0x10, 0x0, 0x83, 0xf8, 0xf, 0x75, 0xe, 0x8b, 0x45, 0x8, 0xe8, 0x18, 0x1, 0x0, 0x0, 0x33, 0xc0, 0xc9, 0xc2, 0x10, 0x0, 0x83, 0xf8, 0x1, 0x75, 0x6, 0x33, 0xc0, 0xc9, 0xc2, 0x10, 0x0, 0x3d, 0x11, 0x1, 0x0, 0x0, 0xf, 0x85, 0xe7, 0x0, 0x0, 0x0, 0x8b, 0x45, 0x14, 0x3b, 0x5, 0x60, 0x31, 0x40, 0x0, 0x75, 0x1a, 0x6a, 0x0, 0x68, 0x96, 0x30, 0x40, 0x0, 0x68, 0xa7, 0x30, 0x40, 0x0, 0xff, 0x75, 0x8, 0xe8, 0x17, 0x2, 0x0, 0x0, 0x33, 0xc0, 0xc9, 0xc2, 0x10, 0x0, 0x3b, 0x5, 0x58, 0x31, 0x40, 0x0, 0x74, 0xc, 0x3b, 0x5, 0x54, 0x31, 0x40, 0x0, 0xf, 0x85, 0xae, 0x0, 0x0, 0x0, 0xc7, 0x5, 0xd9, 0x12, 0x40, 0x0, 0x54, 0x45, 0x58, 0x0, 0x6a, 0x0, 0x8d, 0x45, 0xfc, 0x50, 0x6a, 0x64, 0xff, 0x35, 0x50, 0x31, 0x40, 0x0, 0xe8, 0xbc, 0x1, 0x0, 0x0, 0x83, 0x7d, 0xfc, 0x0, 0x74, 0x5f, 0x50, 0x6a, 0x14, 0x68, 0x6c, 0x31, 0x40, 0x0, 0xff, 0x35, 0x54, 0x31, 0x40, 0x0, 0xe8, 0xaf, 0x1, 0x0, 0x0, 0x85, 0xc0, 0x74, 0x48, 0xa1, 0xb, 0x30, 0x40, 0x0, 0xbb, 0x6c, 0x31, 0x40, 0x0, 0x3, 0x3, 0x43, 0x81, 0xfb, 0x7c, 0x31, 0x40, 0x0, 0x75, 0xf5, 0x5b, 0x3, 0xc3, 0x31, 0x5, 0xd9, 0x12, 0x40, 0x0, 0xc1, 0xe8, 0x10, 0x66, 0x29, 0x5, 0xd9, 0x12, 0x40, 0x0, 0xbe, 0xec, 0x11, 0x40, 0x0, 0xb9, 0x3e, 0x0, 0x0, 0x0, 0x33, 0xdb, 0xeb, 0x4, 0x54, 0x45, 0x58, 0x0, 0xad, 0x33, 0xd8, 0x49, 0x75, 0xfa, 0x81, 0xFB, 0xFB, 0xCF, 0xFC};
// DWORD at 0x4012D9 = 0x00584554 before patching (bytes 54 45 58 00, "TEX\0")
scanf("%s", name);
scanf("%s", serial);
DWORD x = 0x58455443; //[0x40300B]
// 16 overlapping dword reads at byte offsets 0..15 of name (0x40316C..0x40317B),
// mirroring `add eax, dword ptr [ebx]; inc ebx` in the target.
for(i=0; i<16; i++){
x += *(DWORD *)(name + i);
}
// printf("%X\n", x);
// pseudocode: the target adds the GetDlgItemInt result (popped into ebx) here
x += int(Serial);
// printf("%X\n", *(DWORD *)m);
m = n+237; // 0x4012D9 - 0x4011EC = 0xED
printf("%X\n", *(DWORD *)m);
// self-modification: xor the dword with the sum, then subtract the high word of the sum
// (mirrors `xor [0x4012D9],eax; shr eax,0x10; sub word ptr [0x4012D9],ax`)
*(DWORD *)m ^= x;
x >>= 0x10;
*(WORD *)m -= x;
printf("%X\n", *(DWORD *)m);
// *(DWORD *)m = 0x585426EB; // key value (author's constant; presumably the patched dword that makes the checksum match -- derivation not shown)
DWORD ebx = 0, eax = 0;
// xor-checksum of 0x3E dwords (248 bytes) of code starting at 0x4011EC
for(j=0; j<0x3E; j++){
eax = *(DWORD *)(n + j*4);
ebx ^= eax;
// printf("%02X, %08X, %08X\n", 0x3E - j, eax, ebx);
}
// printf("%X\n", ebx);
if(ebx == 0xAFFCCFFB) // the "key comparison" at 0x4012E3
跳向成功; // pseudocode: jump to the success path
else
失败; // pseudocode: failure path ("Your serial is not valid.")
return 0;
}
n 是 0x4011EC到0x4012E3的字节数组。
m是 [0x4012D9~DC]会被修改的地方。
第一个for循环:从name数组循环取值相加,再加上基础值 x (0x58455443),然后加上 int(serial)。
第二个for循环:从0x4011EC开始,取DWORD与ebx做异或运算,结果存到ebx中。
最后ebx与0xAFFCCFFB比较。
逆向目标是求int(serial)。
分析过程有点绕,表达的不是很清晰,跳过了。
3、注册机
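/*
 * Assemble the 4 bytes at p as a little-endian 32-bit value.
 *
 * Explicit byte assembly replaces the `*(DWORD *)p` cast: it matches the
 * x86 dword read in the target without the unaligned/aliasing access.
 */
static DWORD load_le32(const unsigned char *p)
{
    return (DWORD)p[0] | ((DWORD)p[1] << 8) | ((DWORD)p[2] << 16) | ((DWORD)p[3] << 24);
}

/*
 * Keygen for the TEXme v2.0 crackme: reads a name from stdin and prints
 * the matching serial.
 *
 * Mirrors the target's name checksum (loop at 0x4012AD-0x4012B6): start
 * from the constant stored at 0x40300B (0x58455443) and add the dword at
 * each of the first 16 byte offsets of the 20-byte name buffer (the reads
 * overlap, so bytes 0..18 contribute). The target adds int(serial) to this
 * sum and uses the result to patch its own code at 0x4012D9; 0x580C3BA3 is
 * the author's constant for the sum that makes the patched code pass the
 * checksum (the derivation is not shown in the writeup), so
 * serial = 0x580C3BA3 - checksum, modulo 2^32.
 *
 * Assumes the target's name buffer holds zero bytes past the entered name,
 * as the zero-initialized buffer here does -- TODO confirm against 0x40316C.
 *
 * No parameters, no return value. Prints "Serial:<n>" to stdout; prints
 * nothing if no name could be read. Needs <stdio.h> and the Win32 DWORD
 * typedef, as in the original listing.
 */
void Decrypt(){
    char name[20] = {0};
    printf("Name:");
    /* %19s bounds the read to 19 characters plus the terminator, so the
       checksum below never reads past the buffer. */
    if (scanf("%19s", name) != 1) {
        return;
    }
    DWORD x = 0x58455443;
    for(int i=0; i<16; i++){
        x += load_le32((const unsigned char *)name + i);
    }
    /* The cast keeps %u correct whether DWORD is unsigned long or unsigned int. */
    printf("Serial:%u", (unsigned)(0x580C3BA3 - x));
    return;
}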